|
|
836b22 |
From e61f36189c4354a202f2b3bee86a026c7080690f Mon Sep 17 00:00:00 2001
|
|
|
836b22 |
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
836b22 |
Date: Tue, 29 Jan 2019 12:13:30 +0100
|
|
|
836b22 |
Subject: [PATCH 5/9] providers/proxy: fixed erroneous free of orig_grp
|
|
|
836b22 |
MIME-Version: 1.0
|
|
|
836b22 |
Content-Type: text/plain; charset=UTF-8
|
|
|
836b22 |
Content-Transfer-Encoding: 8bit
|
|
|
836b22 |
|
|
|
836b22 |
Function `remove_duplicate_group_members(mem_ctx, orig_grp, new_grp)`
|
|
|
836b22 |
in case of empty orig_grp would return as a result:
|
|
|
836b22 |
```
|
|
|
836b22 |
*new_grp = talloc_steal(mem_ctx, orig_grp);
|
|
|
836b22 |
```
|
|
|
836b22 |
Since mem_ctx is freed in caller function that leads to deallocation
|
|
|
836b22 |
of orig_grp and to "use after free" bug.
|
|
|
836b22 |
|
|
|
836b22 |
Code was changes so remove_duplicate_group_members() behaves consistently
|
|
|
836b22 |
and always returns a new group created in given mem context.
|
|
|
836b22 |
|
|
|
836b22 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
836b22 |
|
|
|
836b22 |
cherry picked from commit cd1538bc92a319a19915d3a19efd9d5e013f7e75
|
|
|
836b22 |
and amended with
|
|
|
836b22 |
commit e1b678c0cce73494d986610920b03956c1dbb62a by Lukas Slebodnik
|
|
|
836b22 |
|
|
|
836b22 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
836b22 |
---
|
|
|
836b22 |
src/providers/proxy/proxy_id.c | 70 ++++++++++++++++++----------------
|
|
|
836b22 |
1 file changed, 38 insertions(+), 32 deletions(-)
|
|
|
836b22 |
|
|
|
836b22 |
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
|
|
|
836b22 |
index 3e8a43ad7..25e866bfb 100644
|
|
|
836b22 |
--- a/src/providers/proxy/proxy_id.c
|
|
|
836b22 |
+++ b/src/providers/proxy/proxy_id.c
|
|
|
836b22 |
@@ -597,8 +597,32 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
|
|
|
836b22 |
return ENOMEM;
|
|
|
836b22 |
}
|
|
|
836b22 |
|
|
|
836b22 |
+ grp = talloc(tmp_ctx, struct group);
|
|
|
836b22 |
+ if (grp == NULL) {
|
|
|
836b22 |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
|
|
|
836b22 |
+ ret = ENOMEM;
|
|
|
836b22 |
+ goto done;
|
|
|
836b22 |
+ }
|
|
|
836b22 |
+
|
|
|
836b22 |
+ grp->gr_gid = orig_grp->gr_gid;
|
|
|
836b22 |
+
|
|
|
836b22 |
+ grp->gr_name = talloc_strdup(grp, orig_grp->gr_name);
|
|
|
836b22 |
+ if (grp->gr_name == NULL) {
|
|
|
836b22 |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
|
836b22 |
+ ret = ENOMEM;
|
|
|
836b22 |
+ goto done;
|
|
|
836b22 |
+ }
|
|
|
836b22 |
+
|
|
|
836b22 |
+ grp->gr_passwd = talloc_strdup(grp, orig_grp->gr_passwd);
|
|
|
836b22 |
+ if (grp->gr_passwd == NULL) {
|
|
|
836b22 |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
|
836b22 |
+ ret = ENOMEM;
|
|
|
836b22 |
+ goto done;
|
|
|
836b22 |
+ }
|
|
|
836b22 |
+
|
|
|
836b22 |
if (orig_grp->gr_mem == NULL) {
|
|
|
836b22 |
- ret = ENOENT;
|
|
|
836b22 |
+ grp->gr_mem = NULL;
|
|
|
836b22 |
+ ret = EOK;
|
|
|
836b22 |
goto done;
|
|
|
836b22 |
}
|
|
|
836b22 |
|
|
|
836b22 |
@@ -607,7 +631,14 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
|
|
|
836b22 |
orig_member_count = i;
|
|
|
836b22 |
|
|
|
836b22 |
if (orig_member_count == 0) {
|
|
|
836b22 |
- ret = ENOENT;
|
|
|
836b22 |
+ grp->gr_mem = talloc_zero_array(grp, char *, 1);
|
|
|
836b22 |
+ if (grp->gr_mem == NULL) {
|
|
|
836b22 |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
|
|
|
836b22 |
+ ret = ENOMEM;
|
|
|
836b22 |
+ goto done;
|
|
|
836b22 |
+ }
|
|
|
836b22 |
+ grp->gr_mem[0] = NULL;
|
|
|
836b22 |
+ ret = EOK;
|
|
|
836b22 |
goto done;
|
|
|
836b22 |
}
|
|
|
836b22 |
|
|
|
836b22 |
@@ -636,14 +667,8 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
|
|
|
836b22 |
|
|
|
836b22 |
member_count = hash_count(member_tbl);
|
|
|
836b22 |
if (member_count == 0) {
|
|
|
836b22 |
- ret = ENOENT;
|
|
|
836b22 |
- goto done;
|
|
|
836b22 |
- }
|
|
|
836b22 |
-
|
|
|
836b22 |
- grp = talloc(tmp_ctx, struct group);
|
|
|
836b22 |
- if (grp == NULL) {
|
|
|
836b22 |
- DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
|
|
|
836b22 |
- ret = ENOMEM;
|
|
|
836b22 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Empty resulting hash table - must be internal bug.\n");
|
|
|
836b22 |
+ ret = EINVAL;
|
|
|
836b22 |
goto done;
|
|
|
836b22 |
}
|
|
|
836b22 |
|
|
|
836b22 |
@@ -673,32 +698,13 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
|
|
|
836b22 |
}
|
|
|
836b22 |
grp->gr_mem[i] = NULL;
|
|
|
836b22 |
|
|
|
836b22 |
- grp->gr_gid = orig_grp->gr_gid;
|
|
|
836b22 |
-
|
|
|
836b22 |
- grp->gr_name = talloc_strdup(grp, orig_grp->gr_name);
|
|
|
836b22 |
- if (grp->gr_name == NULL) {
|
|
|
836b22 |
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
|
836b22 |
- ret = ENOMEM;
|
|
|
836b22 |
- goto done;
|
|
|
836b22 |
- }
|
|
|
836b22 |
-
|
|
|
836b22 |
- grp->gr_passwd = talloc_strdup(grp, orig_grp->gr_passwd);
|
|
|
836b22 |
- if (grp->gr_passwd == NULL) {
|
|
|
836b22 |
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
|
836b22 |
- ret = ENOMEM;
|
|
|
836b22 |
- goto done;
|
|
|
836b22 |
- }
|
|
|
836b22 |
-
|
|
|
836b22 |
- *_grp = talloc_steal(mem_ctx, grp);
|
|
|
836b22 |
ret = EOK;
|
|
|
836b22 |
|
|
|
836b22 |
done:
|
|
|
836b22 |
- talloc_zfree(tmp_ctx);
|
|
|
836b22 |
-
|
|
|
836b22 |
- if (ret == ENOENT) {
|
|
|
836b22 |
- *_grp = talloc_steal(mem_ctx, orig_grp);
|
|
|
836b22 |
- ret = EOK;
|
|
|
836b22 |
+ if (ret == EOK) {
|
|
|
836b22 |
+ *_grp = talloc_steal(mem_ctx, grp);
|
|
|
836b22 |
}
|
|
|
836b22 |
+ talloc_zfree(tmp_ctx);
|
|
|
836b22 |
|
|
|
836b22 |
return ret;
|
|
|
836b22 |
}
|
|
|
836b22 |
--
|
|
|
836b22 |
2.21.1
|
|
|
836b22 |
|